Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2023/04/28 21:07]
BLUG Admin
+++ blug-canary-2 [2024/04/29 15:13] (current)
persmule
@@ Line 3: / Line 3: @@
 Hash: SHA512
-BEIJING GNU/LINUX USER GROUP CANARY (1/3)
+BEIJING GNU/LINUX USER GROUP CANARY (2/3)
 ====================================
-Issued for April 2023.
+Issued for April 2024.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 23: / Line 23: @@
 one is located at:
-* https://beijinglug.club/wiki/doku.php?id=blug-canary-2
+* https://beijinglug.club/wiki/doku.php?id=blug-canary-3
 It is possible that the signatures are not updated at the same time,
@@ Line 61: / Line 61: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of May 2023. Special note should be taken if no new canary is published
+weeks of May 2024. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 71: / Line 71: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-None.
+. We've found a workaround for importing keys on https://keys.openpgp.org
+without User-ID. The instructions for verifying persmule's signatures have
+been added.
 Canary Verification Procedures
@@ Line 86: / Line 88: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
+    e. Use the latest GnuPG in most operating system, the signatures made by
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
 . To verify vimacs' signature...
@@ Line 117: / Line 131: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Surgeons carrying out operations just once a fortnight
+ Friday evening news: King to resume public duties as doctors pleased with cancer treatment briefing
- Dog walker 'beaten to death' after 'altercation' with schoolchildren
+ Thursday evening news briefing: Yousafs political future could lie in Alex Salmonds hands
- Couple ordered to tear down 80k extension built two inches into neighbours' garden
+ Wednesday evening news briefing: Teenage girl arrested after two teachers and pupil stabbed
- Watch: The Coronation souvenirs - the good, the bad and the ugly
+ Tuesday evening news briefing: Sunak unveils biggest military spending increase in a generation
- ChatGPT has better bedside manner than doctors, study finds
+ When is the US election? Everything you need to know about the 2024 race
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Russian Missile Strikes on Civilian Buildings Kill at Least 25 in Ukraine
+ Middle East Crisis: Israel Appears to Soften Stance in Cease-Fire Talks
- U.S. Begins Overland Evacuation of American Civilians From Sudan
+ As Anger Grows Over Gaza, Arab Leaders Crack Down on Protests
- The Shining Promise and Dashed Dreams of Chinas Live Shopping Craze
+ Spains Leader, Pedro Snchez, Says He Wont Quit Over Wifes Corruption Case
- Spain Bakes in Summer-Like Heat, and Worries About What Comes Next
+ What to Know: First Trial in Alleged Coup Plot in Germany Begins
- Lord Commander of the DMZ Has Seen It All on the Korean Frontier
+ How Capitalists in Communist Cuba Are an Economic Lifeline
 $ date -R -u
-Fri, 28 Apr 2023 21:06:47 +0000
+Mon, 29 Apr 2024 12:39:48 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmRMNXsACgkQ+tPrBeiO
+iQIzBAEBCgAdFiEEDfvrUpjKhXrxhHZrG+3+G67tLh4FAmYvlRsACgkQG+3+G67t
-jW10RA/+J33Xii6jeqjszAW3q+xh8Y5qQDgFstJyEbUDVcIUNuMwaOvN5PmrOnXY
+Lh7D5BAAnpSxR8sRz+XTccX6alNRQsBkDrXctZad/JDOauIp5mJyVIMvJjGVoXtO
-TVXRQHX2pUaVIbfLpJopqth3PpZmiNUP1ytjGqNwkwYqmpYpTGb8VmxmZC/oaToh
+vElKoqvvG/X7xSBMasjuYI3LQek3NLi++OG0EF/74HQgKxNKJt39oBy6GYFHXnq
-XUG7ewxYdZ6ofEpHdHj3Mk5BJUKB5dqtySb4hAINJ+8rky7CvjPs5Arf5GrloGCZ
+pYaUNcHGxMs3/rf/EBaazIYxEOQbw2L1wYg6QTrPVRhUmY5+fBbM6IiOLy6c/5ql
-ebVb1lGsSIQB4PZuV3eM6waYDIkQdsau7p04VlOUFryMoOVu/mBUXZeMlxPcYoWi
+WajtZYiV8xClf9NNw9mzx9tSMDyYFLLO3LWnQyzgHizStMSQ6hcAUYigpo4RhqkY
-J/XnY98ZaVg6fLNbc1TiizfMl/WTkV87x+qIqROcg3KRO60PvqEcpu34aEpAIHQo
+KyvkfdV+GUXt1zQvrMgUc7PSF6UGMc5eEpRMB+iaBX68qql85dH7DfpiwTQwCJ
-lZaAdvZ8nqqfFTJZb7pw7XQUx82+jT9hrfKoaccRcDScVXzs9rePhD7d3AiHeLh
+DYqwTJ0amrpyX+lbw5Dpaz2C/dP3NcOIDtLJa/16rWpAOqVi3htSnXAgX6Glxz2f
-ZyXee8q2hIq2XISVTaMok6WPcm7g47N8EJVAAPJpgkxQ1Z0c+frJfJEIxv82jzQ5
+PBlm+OgOlX8ZmfW+YUQUI1ehwNMyEg6chjKS04GMV+Bb5T6U9e4KPADagcCc40cY
-gzx1I//kbGWxvjRsAXWY5oBl1rQiI63Ail2knv5uzilzCpRwZaFesOc75JBszuY
+JXQoRfxxGlmL5tm9rzXDW9JKBGugPhOwU3QYdkk0CrLfPeWXvxgY3ABu0zQPezmI
-JAzbP4R3a18TxsUSu51lCiJtB7wXLI354xSJhZOw/TB33ch/GihONt4IPEqA3M2N
+CjIT+5adixqInzIsiWacoFEKBodXxnHl7fI9V+W6rQOTmmKps9tWkxTXl+pJaGeu
-wGgfOLmy5VOiCViwIUi5Ofz/8t0Fl6lBsjtg19Q6qPNyoa0kTkNeJU1WYAMx0NT7
+aecYOjYuX+DFzrNyBxI2GoYSCxijbkKExzjU70CG5AAdefedTlcRFgqsWd0JVZx/
-+kCblcKGsQdTs5X1uMJVuJARSydrxT1PLToRo/UwyxthBAQk8=
+tkZqot5diwM9PNS2+GY2N837a6WQ+aXf/kp8GCKDfdd+J32CsTo=
-=uncO
+=vX0j
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools